Seth,
We went through this a few years ago when converting to a campus-wide
authentication service. The two big issues for us were password aging
(auditors insisted on aging if the credential was going to be used for any
confidential data access), and enforcing encryption on the network. We were
able to justify 180-day expiration to loosely align with semesters, rather
than use the 90-day business standard our auditors asked for. The ongoing
debate here is whether one credential is a good thing, but the users love
it. I somewhat agree with the "times have changed" arguments against aging,
but you have to consider the regulatory/compliance/audit pressures too. We
hope to move towards two-factor soon, which makes aging a non-issue. Our
rules are minimum 6 chars for regular accounts, minimum 15 for privileged
accounts, must use alphanumerics/specials, 180-day expiration, 25-15-15
lockouts, systems/applications integrating with the service must use
encryption, history 10, and new passwords can't substring-match the
previous. Good luck.
Jane Drews
Univ of Iowa
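The rule set in the post above (length minimums by account type, character classes, history of 10, no substring match against the previous password, 180-day age, lockout) is concrete enough to implement. The following is an added example written for this page, not code from the University of Iowa service or from the poster. It assumes a particular reading of the rules: "alphanumerics/specials" is taken to mean at least one letter, one digit and one special character; the substring rule is applied case-insensitively in both directions; and "25-15-15" is read as 25 failures within a 15-minute window locking the account for 15 minutes. Storing history as salted PBKDF2 hashes is the editor's choice; note that the substring check can only be done at change time, when the user has just presented the current password in clear.

```python
import hashlib
import hmac
import os
import string
from collections import deque
from dataclasses import dataclass

# Policy values as stated in the post.
MIN_LEN = {"regular": 6, "privileged": 15}
HISTORY_DEPTH = 10
MAX_AGE_SECONDS = 180 * 86400


@dataclass
class PasswordRecord:
    """One entry of the password history: salted PBKDF2 digest, never plaintext."""
    salt: bytes
    digest: bytes


def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count is an arbitrary choice for the example (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_record(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _digest(password, salt))


def record_matches(record: PasswordRecord, password: str) -> bool:
    return hmac.compare_digest(record.digest, _digest(password, record.salt))


def has_required_classes(pw: str) -> bool:
    # Assumed reading of "must use alphanumerics/specials": letter + digit + special.
    return (any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def check_new_password(new_pw: str, current_pw: str, history: list,
                       account_type: str = "regular") -> list:
    """Return a list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(new_pw) < MIN_LEN[account_type]:
        problems.append(f"shorter than {MIN_LEN[account_type]} characters")
    if not has_required_classes(new_pw):
        problems.append("must contain letters, digits and special characters")
    # Substring rule, case-insensitive in both directions (assumption); only possible
    # here because the user just supplied current_pw to authenticate the change.
    a, b = new_pw.lower(), current_pw.lower()
    if b and (a in b or b in a):
        problems.append("substring-matches the previous password")
    if any(record_matches(r, new_pw) for r in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def is_expired(changed_at: float, now: float) -> bool:
    """180-day aging rule from the post, on POSIX timestamps."""
    return now - changed_at >= MAX_AGE_SECONDS


class LockoutTracker:
    """Assumed reading of '25-15-15': 25 failures in 15 minutes lock for 15 minutes."""

    def __init__(self, threshold: int = 25, window_s: int = 900, lockout_s: int = 900):
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self.failures = {}      # user -> deque of failure timestamps inside the window
        self.locked_until = {}  # user -> timestamp when the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[user] = now + self.lockout_s
            q.clear()
        return self.is_locked(user, now)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hist = [make_record("Old#pass9")]
    print(check_new_password("Sp4rk!plug", "winter2006", hist))                 # []
    print(check_new_password("Winter2006!x", "winter2006", hist))               # substring
    print(check_new_password("Sp4rk!plug", "winter2006", hist, "privileged"))   # too short
```

Because history is hash-only, the reuse check is a hash comparison per stored entry, while the substring rule compares plaintexts that are only both available during a password change; a batch audit of stored hashes cannot apply that rule.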